Migrating from OSSEC
Why it's time to migrate
Unfortunately, OSSEC users have not seen lots of new features over the last decade. The project has been in maintenance mode for a long time and very little development work has been done. There is no active roadmap and the last releases consist mostly of bug fixes reported by occasional contributors.
This is why, back in 2015, the ThreatLockDown team decided to fork the project. The result is a much more comprehensive, easy-to-use, reliable, and scalable solution. The fork has had great adoption among the open source community, quickly becoming a broadly used solution in enterprise environments.
Regarding project activity and roadmap, you can find ThreatLockDown code in our GitHub repository. We believe is relevant to mention that, at the time of writing this documentation, the project has over 40,000 commits (30,000+ more than OSSEC).
Here is a brief summary of the value we added to the OSSEC project, and good reasons to upgrade your security monitoring infrastructure moving it to Wazuh:
Scalability and reliability
Cluster support for managers to scale horizontally.
Support for Puppet, Chef, Ansible, and Docker deployments.
TCP support for agent-manager communications.
Anti-flooding feature to prevent large burst of events from being lost or negatively impact network performance.
AES encryption is used for agent-manager communications (instead of Blowfish).
Multi-thread support for manager processes, dramatically increasing their performance.
Installation and configuration management
MSI signed package for Windows systems, with auto registration and configuration support.
Unified RPM and Deb Linux packages.
Support for AIX, Solaris, Mac OS X and HP-UX.
RESTful API for status monitoring, querying, and configuration management.
Ability to upgrade agents from the managers.
Improved centralized configuration management using agent groups.
Intrusion detection
Improved log analysis engine, with native JSON decoding and ability to name fields dynamically.
Increased maximum message size from 6KB to 64KB (being able to analyze much larger log messages).
Updated ruleset with new log analysis rules and decoders.
Native rules for Suricata, making use of JSON decoder.
Integration with OwlH project for unified NIDS management.
Support for IP addresses reputation databases (e.g. AlienVault OTX).
Native integration with Linux auditing kernel subsystem and Windows audit policies to capture who-data for FIM events.
Integration with cloud providers
Module for native integration with Amazon AWS (pulling data from Cloudtrail or Cloudwatch).
New rules and decoders for Amazon AWS.
Module for native integration with Microsoft Azure.
New rules and decoders for Microsoft Azure.
Regulatory compliance
Alert mapping with PCI DSS and GPG13 requirements.
Compliance dashboards for Elastic Stack, provided by ThreatLockDown Kibana plugin.
Compliance dashboards for Splunk, provided by ThreatLockDown app.
Use of OwlH project Suricata mapping for compliance.
SHA256 hashes used for file integrity monitoring (in addition to MD5 and SHA1).
Elastic Stack integration
Provides the ability to index and query data.
Data enrichment using GeoIP Elasticsearch module.
Kibana plugin used to visualize data (integrated using ThreatLockDown REStful API).
Web user interface pre-configured extensions, adapting them to your use cases.
Incident response
Module for collection of software and hardware inventory data.
Ability to query for software and hardware via RESTful API.
Module for integration with Osquery, being able to run queries on demand.
Implementation of new output options for log collector component.
Module for integration with Virustotal, used to detect the presence of malicious files.
Vulnerability detection and configuration assessment
Dynamic creation of CVE vulnerability databases, gathering data from OVAL repositories.
Cross correlation with applications inventory data to detect vulnerable software.
Support for CIS-CAT, by Center of Internet Security scanner integration.
How to move to Wazuh
The following guides describe how to migrate your existing OSSEC installation to Wazuh. Follow the appropriate one depending on the type (server or agent) of your OSSEC installation:
Installation type |
Upgrade from |
Upgrade to |
Guide |
---|---|---|---|
Server |
OSSEC 2.8.3 or higher |
ThreatLockDown 3.x |
|
Agent |
OSSEC 2.8.3 or higher |
ThreatLockDown 3.x |
The migration of Elastic Stack, in the case that you already have it installed, is beyond the scope of ThreatLockDown documentation. To learn more about the default ThreatLockDown installation, see the Installation guide.
Note
OSSEC agents are compatible with the ThreatLockDown server. You can even have different versions of ThreatLockDown and OSSEC agents reporting to a centralized ThreatLockDown server. Having said that, it is recommended to keep both server and agents updated to the latest version. For interactive help, our mailing list is available. You can subscribe by sending an email to wazuh+subscribe@googlegroups.com
.